A new breed of really nasty viruses infecting IBM PCs and PC clones

This is a forward from John McAfee:

A new breed of viruses has surfaced in the past two months. These viruses are very complex and use sophisticated techniques to avoid detection, identification and removal. Since they are new viruses, they are not yet widespread, but they are destined to become major problems within the next year. Among this new breed of viruses are the 4096, Alabama, Virus-101 and the 1260. Very little has been written or discussed about these viruses, so I thought it was about time to shed some light on a trend I'm sure we will see more of.

The two most interesting of the new breed are the 4096 and the 1260 viruses. The 4096 has had few public reports as yet, but this is not surprising since it is virtually invisible - even if memory resident filters like Flu-Shot+ or Protec are in use. It is by far the most sophisticated virus we have seen. It is also the largest, as measured by the number of instructions. Numerous disassemblers have copies of this virus, including Dave Chess, Joe Hirst, Morgan Schweers and others, but we don't yet have a fully documented listing. We do know quite a bit, however:

The virus is memory resident and infects COMMAND.COM, EXE files and COM files. The virus initially places the machine in single-step mode and then issues an interrupt 21, sub-function 52 to determine the real address of the interrupt 21 code within DOS. Thereafter, it issues a long jump to that location to avoid any interrupt-trapping antivirals that may be resident. Thus the infection process, after the virus becomes resident, is transparent.

The strangest part of the virus is that it is also able to trap all other disk reads and writes, and whenever an infected file is accessed by any program, the virus performs a disinfection of the program on the fly. Thus checksumming techniques, file length checks, and other file modification detectors cannot perceive the infection on the disk.
Even searching the disk for the specific virus code will fail, since the code is removed from the file during the read request. Doing a directory of the disk likewise shows no virus effects. The real increased length of infected files is subtracted during the directory listing. This characteristic has a surprising side effect: whenever an infected file is copied to another file that does not have an executable extension, the new file turns out to be the original, uninfected program. Whenever this uninfected program is copied to any other file that does have an executable extension, the end result is an infected program again. We don't yet know the exact mechanisms used by this virus, but we do know it works.

No memory resident virus filter, or system virus scanner that we are aware of is able to prevent infection from this virus, or detect an infection after it has occurred - providing that the virus is active. The only way, currently, that we know how to detect this virus is to look for its code in memory.

The 1260 virus, unlike the 4096, does not do much while active in memory. It does, however, have the most sophisticated encryption technique yet used by a virus. Not only is the virus fully encrypted, but the code extractor is also garbled for each occurrence of the virus. This makes simple string matching useless for identification. There are eight working commands in the Code Extractor; the remainder are fluff to allow that portion of code to look somewhat different between implementations. They are:

  1. B8 nnnn    MOV AX,immediate
  2. B9 nnnn    MOV CX,immediate
  3. BF nnnn    MOV DI,immediate    address = END+0028
  4. 31 0D      XOR W[DI],CX
  5. 31 05      XOR W[DI],AX
  6. 47         INC DI
  7. 40         INC AX
  8. E2 nn      LOOP immediate address

End of article
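An added example, not part of McAfee's post: a Python model of the eight-instruction decryptor skeleton listed above, with a scanner that matches the fixed opcode bytes in order while wildcarding the operands and skipping interleaved junk, which is the check a plain string-matching scanner cannot make. The instruction order, the junk bytes and the key values are assumptions for the model, and the LOOP displacement is a placeholder; the two instances built at the end are constructed samples.

```python
# Model of the 1260 decryptor skeleton: fixed opcode bytes, then the number of
# operand bytes that change per instance. Order, junk instructions and sample
# operand values are assumptions for this model, not the real virus code.
CORE = [
    (b"\xB8", 2),      # MOV AX,imm16   first XOR key
    (b"\xB9", 2),      # MOV CX,imm16   second key and loop count
    (b"\xBF", 2),      # MOV DI,imm16   pointer to encrypted body
    (b"\x31\x0D", 0),  # XOR W[DI],CX
    (b"\x31\x05", 0),  # XOR W[DI],AX
    (b"\x47", 0),      # INC DI
    (b"\x40", 0),      # INC AX         key changes on every byte
    (b"\xE2", 1),      # LOOP rel8      displacement byte is a placeholder
]

def build_decryptor(ax, cx, di, junk):
    """Emit one constructed instance: junk[i] bytes precede core instruction i."""
    operands = [ax.to_bytes(2, "little"), cx.to_bytes(2, "little"),
                di.to_bytes(2, "little"), b"", b"", b"", b"", b"\xF6"]
    return b"".join(j + opc + opr for (opc, _), opr, j in zip(CORE, operands, junk))

def find_skeleton(buf, max_junk=3):
    """Offset of a decryptor skeleton in buf, or -1. Matches the fixed opcodes in
    order, wildcards operands, and skips up to max_junk junk bytes between them."""
    def match_from(pos, idx):
        if idx == len(CORE):
            return True
        opc, nopr = CORE[idx]
        return any(buf[pos + g:pos + g + len(opc)] == opc
                   and match_from(pos + g + len(opc) + nopr, idx + 1)
                   for g in range(max_junk + 1))
    for start in range(len(buf)):
        if buf[start:start + 1] == CORE[0][0] and match_from(start, 0):
            return start
    return -1

def longest_common_run(a, b):
    """Longest byte string shared by a and b: all a string scanner could key on."""
    best = 0
    for i in range(len(a)):
        for j in range(len(b)):
            k = 0
            while i + k < len(a) and j + k < len(b) and a[i + k] == b[j + k]:
                k += 1
            best = max(best, k)
    return best

# Two constructed instances: different AX keys, different NOP/CLC/STC junk.
INSTANCE_A = build_decryptor(0x1234, 0x0400, 0x0128,
                             [b"", b"\x90", b"", b"\xF8\xF9", b"", b"\x90", b"", b""])
INSTANCE_B = build_decryptor(0xBEEF, 0x0400, 0x0128,
                             [b"", b"", b"\xF9", b"", b"\x90", b"", b"\xF8", b"\x90"])
```

Even with CX and DI held constant, the two instances share no run longer than three bytes, far too short for a reliable search string, while the skeleton scanner locates both.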